NSAuditor AI EE 0.32.5: A Report-Quality and Routing-Integrity Release

NSAuditor AI Enterprise 0.32.5 (with Community Edition 0.2.30 and agent-skill 0.2.28) is a matrix-neutral release aimed at the part of the product an auditor actually reads: the “why this violates” paragraph, the JSON artifact handed to an assessor, and the machinery that proves a finding reached the control it claims to reach.

Nine mappings that matched nothing — and why that was not an exposure

An audit of the API Gateway auditor (plugin 1050) surfaced nine control-mapping rules that matched zero findings for their entire shipped life. Each had set its internal source to a category label instead of the auditor’s actual finding source, so the matcher never fired them.

The instinct is to call that a dangerous gap. It was not, and we checked before writing a word: removing all nine rules left the report output byte-identical, while removing the correctly-sourced catch-all rules instead collapsed the affected controls to a pass with zero findings. The catch-alls were doing all the work the whole time. A broken Lambda custom authorizer already failed SOC 2 CC6.1 and HIPAA §164.312(a)(1); a deleted WAF WebACL already failed CC6.6, A1.2 and §164.312(a)(1). There was no false clean and no unaddressed HIPAA Required-specification exposure.

The real defect was narrative. Because the engine takes the first matching rule, those findings rendered a stale rationale — one that described a capability the scanner had already shipped as not-yet-built — while the accurate, per-class explanation sat unreachable behind it. 0.32.5 re-sources eight of the nine so the precise explanation is the one that prints.

A HIPAA mapping we removed instead of fixing

The ninth rule mapped a WAF finding to HIPAA §164.312(c)(1) Integrity. Repairing it would have been the easy move; we deleted it instead. The rule’s rationale asserted a fail-open premise — unfiltered SQL-injection and cross-site-scripting traffic reaching the application — but the plugin’s own finding says the opposite: when the WAF association is missing in that configuration, the stage fails closed and returns 403 to every request. A stage that answers 403 alters no ePHI, so an Integrity mapping would be factually wrong in front of an assessor. The finding still routes CRITICAL to §164.312(a)(1) Access Control, and a doctrine test now pins the removal.

The one genuine false-clean, closed

Plugin 1100 (CI/CD) called codebuild:ListProjects. If that call returned AccessDenied, the failure was recorded only as a warning — and warnings route to zero controls. The result is the shape we treat as most serious in an audit tool: CI/CD controls reading clean over an inventory that was never enumerated. 0.32.5 folds that denial into the existing multi-region-enumeration-incomplete evidence gap, covering the whole symmetric family (enumerate and detail paths, under both AccessDenied and a generic throw).

Cleaner artifacts and harder guards

The JSON report no longer serializes each rule’s raw routing regex or internal source key; it projects the rule down to its rationale on both violations and positive substrate. The contract holds, and it landed deliberately before 1.0 — after the v1 freeze the same change would be a semver-major event. Three compliance guards were hardened, all mutation-proven: one had been suppressed by a comment that was simply not true (and now walks all seven frameworks rather than SOC 2 alone), one had quietly become a tautology after a refactor, and a new expected-unmapped table asserts by equality which producer-by-framework cells route to zero controls.

Honest about scope

No new framework, no new plugin — still 28 — and no coverage number moves; all seven matrices are byte-identical to 0.32.4 (SOC 2 10/4/33, HIPAA 7/3/45, NIST CSF 2.0 13/10/83, PCI DSS v4.0.1 19/9/39, ISO 27001 17/14/62, CIS Controls v8 17/23/113, GDPR Article 32 4/5/2). Exactly one item is a false-negative closure; the rest is report quality, artifact hygiene, mapping doctrine, and guard integrity. Community Edition 0.2.30 surfaces AWS Marketplace license registration in --help and license --status.

Full details: nsauditor.com/ai/enterprise.

]]>